Eclipse Jetty
Monthly
HTTP request smuggling in Eclipse Jetty's HTTP/1.1 parser lets remote unauthenticated attackers desynchronize front-end/back-end request boundaries by abusing quoted-string chunk extensions. Jetty incorrectly terminates chunk-extension parsing at a CRLF located inside an unterminated quoted-string (e.g. `1;a="`) rather than rejecting it, so attacker-controlled bytes are reinterpreted as a second, smuggled request on the same TCP connection. Publicly available exploit code exists (a working Python PoC ships in the GHSA advisory), though EPSS is very low (0.03%, 9th percentile) and the issue is not on CISA KEV.
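The parsing difference described above, as an added example that is not Jetty's code and not the advisory's PoC: a chunk-size-line parser with a strict mode that follows the RFC 9112 grammar (chunk-ext-val is a token or a complete quoted-string) and a lenient mode that, like the behaviour described, lets the end of the line terminate an unterminated quoted-string. The byte stream, the `/admin` request in it and all function names are constructed for this example.

```python
"""Added example (not Jetty's code and not the advisory's PoC): a chunk-size-line
parser with a strict RFC 9112 mode and a lenient mode reproducing the behaviour
described above, where a CRLF is accepted as the end of an unterminated
quoted-string chunk-extension value."""
import re

# tchar per RFC 9110 section 5.6.2
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")

class ChunkError(ValueError):
    """Raised where a conforming parser must answer 400 and close the connection."""

def _skip_bws(text, pos):
    while pos < len(text) and text[pos] in " \t":
        pos += 1
    return pos

def _take_token(text, pos):
    start = pos
    while pos < len(text) and text[pos] in TCHAR:
        pos += 1
    return text[start:pos], pos

def parse_chunk_size_line(line: bytes, strict: bool) -> int:
    """Parse `chunk-size [chunk-ext]` (CRLF already stripped) and return the size.

    strict=True rejects an opening quote with no closing quote; strict=False
    models the bug: the extension value simply ends at end of line.
    """
    text = line.decode("ascii")
    m = re.match(r"[0-9A-Fa-f]+", text)
    if not m:
        raise ChunkError("missing chunk-size")
    size, pos, n = int(m.group(), 16), m.end(), len(text)
    while pos < n:
        pos = _skip_bws(text, pos)
        if pos >= n:
            break
        if text[pos] != ";":
            raise ChunkError("junk after chunk-size")
        name, pos = _take_token(text, _skip_bws(text, pos + 1))
        if not name:
            raise ChunkError("empty chunk-ext-name")
        pos = _skip_bws(text, pos)
        if pos < n and text[pos] == "=":
            pos = _skip_bws(text, pos + 1)
            if pos < n and text[pos] == '"':            # quoted-string value
                pos, closed = pos + 1, False
                while pos < n and not closed:
                    if text[pos] == "\\":                # quoted-pair: skip escaped char
                        pos += 2
                        continue
                    closed, pos = text[pos] == '"', pos + 1
                if not closed:
                    if strict:
                        raise ChunkError("unterminated quoted-string in chunk-ext")
                    break                                # the bug: end of line ends it
            else:                                        # token value
                val, pos = _take_token(text, pos)
                if not val:
                    raise ChunkError("empty chunk-ext-val")
    return size

def strict_rejects(line: bytes) -> bool:
    try:
        parse_chunk_size_line(line, strict=True)
    except ChunkError:
        return True
    return False

def decode_chunked(stream: bytes, strict: bool):
    """Decode one chunked body; return (body, bytes left over on the connection)."""
    body, pos = bytearray(), 0
    while True:
        end = stream.index(b"\r\n", pos)
        size = parse_chunk_size_line(stream[pos:end], strict)
        pos = end + 2
        if size == 0:
            break
        body += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise ChunkError("chunk-data not followed by CRLF")
        pos += 2
    while True:                                          # trailer section
        end = stream.index(b"\r\n", pos)
        pos = end + 2
        if end == pos - 2 and stream[end - 2:end] in (b"\r\n", b"") or end == pos - 2 and stream[pos - 4:pos - 2] == b"\r\n":
            break
    return bytes(body), stream[pos:]

def split_requests(stream: bytes, strict: bool):
    """Leftover bytes a parser in this mode hands to the next request, or None if it rejects."""
    try:
        return decode_chunked(stream, strict)[1]
    except ChunkError:
        return None

# Constructed stream: a chunked body whose first size line carries `1;a="`, followed
# by bytes that a lenient parser will treat as a second request on the connection.
SMUGGLED = (b'1;a="\r\n' b'X\r\n' b'0\r\n' b'\r\n'
            b'GET /admin HTTP/1.1\r\nHost: target\r\n\r\n')
```

In lenient mode the bytes after the terminating chunk are handed to the next request on the same connection; whichever side of a proxy chain frames the message differently still attributes them to the first request, which is the desynchronization the advisory describes. A parser that answers 400 and closes the connection on the unterminated quote, as the strict mode does, leaves nothing to desynchronize.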
Privilege escalation in Eclipse Jetty 9.4.0 through 12.1.7 allows unauthenticated remote attackers to bypass authentication via ThreadLocal variable pollution in JASPIAuthenticator. Early returns from the authentication checks fail to clear ThreadLocal values, so a later request handled by the same pool thread inherits the identity, and with it the privileges, established by an earlier one. CVSS 7.4 (high attack complexity, no privileges required). EPSS and KEV status not provided; no public exploit identified at time of analysis. Affects all major Jetty versions from 9.x through 12.x; the authenticator only runs in deployments that enable Jetty's JASPI (Jakarta Authentication) integration, so check whether that integration is configured before triaging exposure.
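The ThreadLocal leak described above, as an added example that is not Jetty's code: a Python model in which `threading.local` stands in for the authenticator's ThreadLocal and a one-thread pool stands in for a reused connector thread, with the buggy early-return shape beside the try/finally shape that clears the value on every exit path. The request shapes, the credential store and every function name are assumptions made for this example.

```python
"""Added example (not Jetty's code): a thread-local left set on an early return
leaks an identity into the next request served by the same pool thread."""
import threading
from concurrent.futures import ThreadPoolExecutor

_ctx = threading.local()   # stands in for the authenticator's ThreadLocal

# Constructed credential store for the example (admin:hunter2).
USERS = {"Basic YWRtaW46aHVudGVyMg==": "admin"}

def check_credentials(authorization: str):
    return USERS.get(authorization)

def authenticate_buggy(req: dict):
    """Model of the flaw: the resolved identity is stashed in the thread-local and
    the 'resource not protected' path returns early without clearing it."""
    if "authorization" in req:
        _ctx.identity = check_credentials(req["authorization"])
    if not req["protected"]:
        return getattr(_ctx, "identity", None)   # early return, no cleanup
    identity = getattr(_ctx, "identity", None)   # anonymous request reads stale value
    _ctx.identity = None                          # cleanup only on the main path
    return identity

def authenticate_fixed(req: dict):
    """Same logic; every return path, early or not, passes through finally."""
    try:
        if "authorization" in req:
            _ctx.identity = check_credentials(req["authorization"])
        return getattr(_ctx, "identity", None)
    finally:
        _ctx.identity = None

def serve_on_one_thread(authenticate, requests):
    """Run the requests back to back on a single worker thread, as a pooled
    connector thread would, and return the identity each request was given."""
    results = []
    with ThreadPoolExecutor(max_workers=1) as pool:
        for req in requests:
            results.append(pool.submit(authenticate, req).result())
    return results

# Constructed request sequence: an authenticated hit on an unprotected path, then an
# anonymous hit on a protected path, both served by the same thread.
REQUESTS = [
    {"path": "/public", "protected": False,
     "authorization": "Basic YWRtaW46aHVudGVyMg=="},
    {"path": "/admin", "protected": True},
]

if __name__ == "__main__":
    print("buggy:", serve_on_one_thread(authenticate_buggy, REQUESTS))
    print("fixed:", serve_on_one_thread(authenticate_fixed, REQUESTS))
```

With the buggy authenticator the second, credential-less request to `/admin` is attributed to `admin`; with the fixed one it is anonymous. The general rule the fix applies is that anything stored in a per-thread slot during request handling must be cleared in a finally block, not only on the success path, because the thread outlives the request.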